We’re always listening to your feedback about Microsoft Authenticator and what we can do to make the app more secure and easier for end users. A few years ago, we released our App Lock feature in response to feedback that you wanted to make sure your app was secured by a PIN or biometric. Last month, we expanded App Lock’s protection. Now, if App Lock is enabled, when you approve any notification, you’ll also have to provide your PIN or biometric.
With our latest release, as part of our effort to make your sign-in experience even more secure, App Lock will be enabled by default if you’ve set up a PIN or biometric on your device.
Try it out
If you don’t have the Microsoft Authenticator app yet, get it here. You’ll need to be on version 6.4.22+ on iOS to try this out.
We’ve been rolling out this feature to iOS TestFlight starting today, and we’ll be gradually rolling out to all users over the next few weeks. The update will come to Android next month.
How different notifications will work
Azure AD and MSA MFA notifications
Currently, when the notification arrives on the phone, you can click approve/deny from the lock screen. However, when app lock is enabled, you will have to launch the app (on iOS) or launch a dialog (on Android) before you can click approve/deny, and you’ll also need to provide an additional PIN/bio gesture to successfully authenticate. Thus, even if you leave your phone unlocked on your desk and walk away, a passerby cannot approve the notification for you.
Enterprise on-premise MFA notifications that already require a PIN
The flow will remain as it is today. After you interact with the notification, you will need to provide your MFA pin (not your device pin). In subsequent approvals, you will have the option to use your device bio gesture instead of your MFA pin.